How to Deal with Last Minute Compliance Requirements
Defense in Depth
Staying on top of regulations is a headache for every CISO. But this isn’t just about compliance. What happens when regulations disrupt the sales process?
Check out this post by Geoff Belknap, co-host of Defense in Depth, for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and John Overbaugh, CISO, Alpine Investors. Joining us is our sponsored guest, Pukar Hamal, founder and CEO at SecurityPal.
Listen to the full episode here.
When business moves faster than security
The tension between closing deals and maintaining your security posture is a tale as old as time for security leaders. Steven Jensen, CISO, Magellan Health, has seen organizations pursue contracts before the right controls are in place, often agreeing to implement security measures by contract execution. "Security and business are not always aligned," Jensen notes. "Sometimes it's due to a lack of maturity, missing controls, limited resources, or budget constraints. That gap can introduce real risk and financial exposure."
Andrew Wilder, CSO, Vetcor, encountered this dynamic when a Middle East client demanded configuration screenshots, something he refused to provide. "Anything that impacts a potential sale is escalated quickly and to the highest possible level," Wilder said. "Eventually, the business accepted the risk in order to make the sale."
Turning obstacles into opportunities
Smart security teams don't just react to unexpected compliance requirements; they transform them into competitive advantages. When Mike Wilkes of Columbia University hit a roadblock with TISAX, a German automotive industry standard, his team didn't just comply. "We became experts immediately, downloading everything we could find on the standard and worked up a nice mapping from the more common regulatory controls," Wilkes explained. That initial challenge became instrumental to follow-on business as more suppliers needed TISAX expertise.
Louis Zhichao Zhang of AIA Australia takes a similar approach to urgent requests. "If the request is truly urgent and has a clear business impact, we drop what we're doing, prioritize it, break it down, and conquer it." But he emphasizes the learning component as equally important. "We document what happened, build an internal knowledge base, and if it's likely to repeat, we turn it into a process or SOP (standard operating procedure)."
The art of saying "not like that"
The most effective security teams have mastered the balance between enabling business velocity and maintaining security posture. Aniket Kulkarni, global CISO at Circles, describes handling a "must-go-live by tomorrow" request that needed full production access with zero notice. Rather than blocking the request, his team "staged a safe replica, scoped access with Zero Trust principles, and enabled delivery without compromising posture."
"Security didn't say 'no,'" Kulkarni emphasizes. "We said 'not like that' and found a better, faster way together." This approach transforms security from a bottleneck into an enabler: the business gets what it needs done, and it gets done safely.
Know your regulatory landscape
Sometimes the biggest security wins come from understanding what regulations apply to your situation. Anatoly Chikanov of HealthEquity frequently encountered NERC-CIP certification requirements when working with energy utility customers. His approach involved "taking a deeper look at regulation and at our product and finding that we didn't really fall under the scope of regulation because we wouldn't have moved enough load on the grid to satisfy regulatory requirements." Chikanov recommends taking time to closely examine regulations and determine if they're even applicable. "Often, third-party risk teams on the opposite side think it applies to you as a vendor, but that's not always the case."
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Huge thanks to our sponsor, SecurityPal
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
Super Cyber Fridays!
Join us NEXT WEEK, Friday [09-05-25], for "Hacking AI in Meetings"
Join us Friday, September 5, 2025, for “Hacking AI in Meetings: An hour of critical thinking about how to avoid liability while getting value from your recordings.”
It all kicks off at 1 PM ET / 10 AM PT, when David Spark will be joined by Joe Essenfeld, CEO, FORA, and Doug Mayer, VP, CISO, WCG, for an hour of insightful conversation and engaging games. And at 2 PM ET / 11 AM PT, stick around for our always-popular meetup, hosted right inside the event platform.
Thanks to our Super Cyber Friday sponsor, FORA
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET / 12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Johna Till Johnson, CEO and founder, Nemertes.
Thanks to our Cyber Security Headlines sponsor, Prophet Security
Cyber chatter from around the web...
Jump in on these conversations
“How do you know when it's time to leave SOC?” (More here)
“Major password managers can leak logins in clickjacking attacks” (More here)
“Sloppy AI defenses take cybersecurity back to the 1990s, researchers say” (More here)
Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:
[09-05-2025] [Hacking AI in Meetings]
[09-12-2025] [Hacking Managed Services]
Save your spot and register for them all now!
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.